Banking Trojans as a Service—Theft Made Straightforward in Brazil

By | June 30, 2016


As a identified banking Trojan middle, it’s not stunning when Brazil’s cybercriminals launch what could possibly be thought of “banking Trojans as a service.” On this explicit case, a talented cybercriminal began providing a totally practical banking Trojan and its related infrastructure for lease, for use by less-skilled crooks.

This explicit risk caught our eye due to its advert, which included demonstration movies on YouTube. Its creator, “Ric”, presents the providers of this specific banking Trojan for lease, which prices roughly US$600 for a 10-day interval. The service features a complete, extremely succesful, and well-designed console, in addition to the aptitude to bypass extra authentication steps utilized by banks in Brazil.


Brazilian cybercriminals are identified for promoting providers on-line, and Ric isn’t any completely different. He makes use of a YouTube account to indicate off his merchandise, as seen beneath.

Determine 1. Youtube profile (Click on to enlarge)

The channel description interprets to “banking Trojan for rental or supply code sale, greater than 9 banks supported, model 2016.”

The three uploaded movies present totally different features of the banking Trojan; collectively, these have nearly 1,000 views. Every video description accommodates a hyperlink to a web page with cost strategies. Ric additionally revealed his Skype username in order that clients might negotiate with him. We imagine Ric works by himself and isn’t half of a bigger syndicate.

Ric additionally supplies an informative changelog of the Trojan in order that clients learn about any adjustments/enhancements on the malware. (We detect this specific Trojan as BKDR_MANGIT.SM.)


Determine 2. Changelog of malware

A desk with the entire “supported” banks can also be offered:

Determine three. Listing of goal banks and different web sites

The biggest banks in Brazil are included within the listing, in addition to on-line cost websites like PayPal and Mercado Livre, a neighborhood auctions web site. Different websites corresponding to these of ISPs and webmail suppliers are additionally within the record.

Your complete bundle is offered for two,000 Brazilian reals (slightly below US$600), legitimate for a 10-day interval. That is comparatively costly for the Brazilian underground. The package deal contains the next:

  • A management panel to handle/function affected machines
  • The precise banking Trojan
  • A loader/dropper/infector
  • An auto-update program for affected machines
  • All of the infrastructure required to efficiently perform assaults

For customers who need full management over their assaults and may present their very own infrastructure, the supply code is accessible for 30,000 reals, roughly US$eight,800.

How the assault works

If a would-be cybercriminal does buy this “service,” he receives a hyperlink to the administration portal, with credentials legitimate in the course of the bought rental interval. He must set a dynamic DNS service to level his victims to the supplied infrastructure. He’s additionally liable for getting customers to go to this malicious URL. Phishing remains to be the popular technique.

Brazilian banks in the present day shield many accounts with some type of two-factor authentication. A code obtained through both SMS messages or an authenticator app are the preferred methods of implementing two-factor authentication. To get round this safety, Ric doesn’t assault the authentication protocol itself; however as an alternative bypasses it utilizing distant entry as follows:

  1. As soon as the Trojan is put in on the sufferer’s machine, the attacker has full management over it.
  2. When the sufferer accesses the financial institution’s web site, the attacker receives an alert (this alert may even be despatched by way of SMS).
  3. The attacker then begins to observe the sufferer’s display and waits for him to log in to his checking account.
  4. After that, he locks the sufferer’s display screen. The message proven is designed to make him assume the financial institution web site is asking him to attend.
  5. The attacker takes management of the sufferer’s machine and begins a cash switch or invoice cost.
  6. When the financial institution web site asks the operator for the token, the operator unlocks the sufferer’s display and makes a pretend token request window seem, making him assume he must enter the token to proceed.
  7. With possession of the token, the attacker can then full the malicious transaction.

There could also be some variations to account for various banks, however the gist of the assault doesn’t change. Present Brazilian banking Trojans have develop into much less of knowledge stealers and extra of distant administration instruments which are meant for malicious use.

The next is a screenshot of the management panel:

Determine four. Management panel for malware

Within the screenshot, Ric is controlling a sufferer’s machine and might ask the sufferer to enter data like their safety code, token, birthday, cell phone quantity, all utilizing faux financial institution pop-ups. The applying is full-featured and behaves very similar to a professionally-created “instrument” would.

This capability to hold out transactions from the sufferer’s machine remotely makes detecting fraud harder. With out an in-depth examination of the person’s system, it’s going to seem that any transactions had been carried out from the consumer’s PC (and subsequently, by the precise shopper). Fraud detection strategies should depend on different methods.

Who’s Ric?

We don’t truly know so much about Ric, the one that created this risk. What we do know is that his “work” is of remarkably prime quality. All the pieces is coded from scratch and typically packers are used to guard his information. Some samples have additionally been signed with self-assigned certificates to attempt to bypass safety software program.

Ric has no less than different three nicknames and might be situated within the northern area of Brazil. This a part of the nation is a identified hotbed for cybercriminal exercise. Final 12 months, we talked about one other younger cybercriminal based mostly in northern Brazil who glided by the deal with “Lordfenix.”

Members of cybercrime gangs have been arrested within the area up to now as properly.

Indicators of compromise

The next file hashes are associated to this assault:

  • 0544ddf37ba1fa1cd1406e3230b71665f4d7f0e4
  • 0a07ffa9214300a2b344012c891d21eca3fe518b
  • 1248a4e8deba0969b157b04fd092e74e19819244
  • 148959187df82a064d5117cad1390c123bd631fd
  • 1bd6afddb00c2c3ebcd6f7804e2190b43c493989
  • 1ce922aae75bf64012cab8d450f0d9885b159436
  • 2021d0cd76069b0aa95cf9598720c9e1d65fe91f
  • 2416b15f97528dd8186ac755e08c4f7668c02dad
  • 245be19ca07d337b9fbe47674d25fb51459e3d44
  • 259e299670e8a1e7d2f46c5782045b3153e5d6a9
  • 2a2593cf050f30ae8ed4b9dd1807ca6f521b6d6a
  • 2a7cc963e16abafa89ac8d56cc09668095a5a73a
  • 30f06f3a9781cb50ae66ca1aa12c0503bbf08fad
  • 34f3406a7441c3c7b21ffa0877e068e609a84050
  • 3b7ad12650d9fd3db96781d5ba1267b70173ba6f
  • 4108227957af840bae040e19473eb4d8b44b96d0
  • 44bfd351bb56168433176914dfbd802c7d5d0d62
  • 463720e81a715502f358f130f19aefcba197f61e
  • 494c70aa394c9ac2357ffd24015fdf6520fc099e
  • 4977d5ee347b165754ff7aeed1d7558c57470e47
  • 54d5c67a0ec3369470c5ef3e349a8388ec16d129
  • 5638de1f210601fbaad485a2697e025c74d3c115
  • 591ff4b508dd2a95cb7902b8ee053faedc499cde
  • 5e486833c60b71e06875413bc65e5e04294a477f
  • 5f6d52c6e522b85e42795aa92080571013789edc
  • 63f7cb0269c6025bedcbf5d504b017a2a6040922
  • 63f7cb0269c6025bedcbf5d504b017a2a6040922
  • 6f5ec43f961aed5ca1636a3076d20c194ac224a6
  • 6fe8e9bc672075d67b7fcca8d91cf2965ff8faad
  • 712f9abcda812bce969aabf737c2941e61a8c721
  • 766e61c2fa635889d37b7102df962898493b51advert
  • 79d263d20f90510fbac226fd74advert62e1a1c8d5d9
  • 7b375374634c14ea44096b6867c5efe422792a18
  • 7c2d0da47c6e25bd71df95b92af623bb3f9fdffb
  • 7d010b949297d5c9c2a48ee576516ddae2d4cdcb
  • 8463a6b1c20d21d402880901e2d8835fbca4684b
  • 86f8832e4feec308d9502a68d387fccc781a07e1
  • 884486e940e83da215d891d11d28e30edf63ac4e
  • 88a2f63ae6cd0d0e78d0da8554436fd4e62fad14
  • 8ea8fce842c9e793a8c19ffba17b86c89b15ac48
  • 9bf2e20ccc8ad7e609b6c69cc63adaabd2b9a035
  • 9c9934009a8087733e7c31c53af034c82ea534cb
  • a9a266c5b71c20f5a1cde9227030dc94622e7c5e
  • af350a24879f47b6b65abb9e3cda5b1545256979
  • b024a8770e3e76c61149fcfbb151dcf824f8268e
  • b14865b3f7c4ab15661ec06084a6bc90ae0ef92a
  • b15051e1287ac53c93e388aae52e7986dbd7d3c6
  • b1eab55c914c0883490fbc97f084c5798faa00a6
  • c286dfc1b19bb5d758ce84d062dbd838b83c1912
  • c8f90cbabbdc79f406505cfa7822c1b6ab668mattress
  • d170fbbad42d66f17ae29d88c3ef03241f936310
  • d3415207af815b94880b3ec9397159009722595f
  • d7a7345f91c2ec5950844db3a30b19f647bd534e
  • d9aecea5197780c88c642f0b864391f5e5f3493a
  • e0e0c1ec46cc5b740e73cffb4b3e6491bc049852
  • e16fa5a4802915b9975e7883ccbb6de105f3919f
  • e1bfec0463f02b46e317c28b4f9f3cecd2612481
  • e22a3464a0036d66ebe50b16cfe30335167c2a43
  • e2a1ea56b151147b58451b8b5799d1c268975d3d
  • e380816231cff0967ff77c55bfadf60d76b4259d
  • e6200a0020f164798d41a068734a20befa7effc1
  • e65cb02eb39f64681eeed1cb7865ac66b6fd37c3
  • ec2493b621a960900f8fcc749eb8ab7bacd70f7b
  • f5728c4d3f94e6fc9399f243beaa795a9f728224
  • f68cfd93bee778249d95cc67dc853advert22d149d67
  • f849382d3bdb6b0d945cd29a3c85e52863c0a0d9
  • f8e8dd3d5f18e4414db85caa467492c064af8276

It’s associated to the next web sites and URLs:

  • hxxp://
  • hxxp://

Please check this great service at: or visit FREE SERVICES menu
[Total: 0    Average: 0/5]